Ransomware struck industries hard in 2020, and 2021 is shaping up to be no different. The REvil Ransomware group, which targeted several hospitals last year, has made a series of attacks last month. In the last two weeks alone, the group has hit 9 large organizations across Africa, Europe, Mexico, and the United States. Within the US, companies hit include law firms, an insurance firm, an architectural company, and an agricultural co-op. The Ransomware group is being tracked by cybersecurity researchers at eSentire.
REvil, also known as Sodinokibi or Sodin, was quiet for some years before resurfacing in 2019. The group behind the malware have hit several high-profile targets like Grubman Shire Meiselas & Sacks, Travelex and Brown-Forman Corp. REvil has also being reported on many hospital systems. Due to it being sold as Ransomware-as-a-Service (RaaS), it is frequently witnessed in infections.
The cybercriminals have posted much of the stolen data to Dark Web already. These include company computer file directories, partial customer lists, customer quotes, and copies of contracts. Researchers said they also posted what appears to be several official IDs, either belonging to an employee or a customer of the victim companies.
It is speculated a part of the gangs’ success has been in part due to their use of the Gootloader malware loader, which is designed to seed the virus. The loader has previously been seen to deploy REvil as well as the Gootkit Malware family. Beyond REvil, Gootloader has been reported as launching the Kronos Trojan and Cobalt Strike Malware. SaferNet reported on Gootloader and Gootkit in an article last week.
Researchers said they have seen REvil expanding its extortion tricks tactics and procedures (TTPs) to now contact victims’ business associates and the media, in order to put on the maximum amount of pressure on the victim to pay. They noted that in the last couple of days, the threat group also appears to be updating its website to make it easier to browse its victim list.
REvil SSN And Personal Records Breach
One of the larger attacks the REvil hackers took part in last month was a devastating attack on IT infrastructure and managed services firm Standley Systems. During the attack, the group managed to steal troves of personal information, including SSNs, service contracts, medical documents, personal data from Standley’s clients, and passports and licenses of Standley’s employees.
“Your customers have entrusted you with the most valuable thing – their backups and data for storage, but you have not coped with your task,” REvil wrote on its leak site. “Even after we provided you with the lost data, we did not hear a single word in response. Accordingly, you don’t give a damn about your customers … You are disrupting both your reputation and the reputation of people who have trusted you with their safety.”
The Standley Systems data was first posted to the REvil site on Feb. 15 and was then taken down from the site for some time before reappearing more recently. The information might have been taken down due to the start of negotiations between REvil and Standley and then reposted once talks between the two sides fell through.
The six Standley customers mentioned on REvils’ dark web site are natural gas producer Chaparral Energy, oil company Crawley Petroleum, injury evaluator Ellis Clinic, gas exploration company Everquest Energy Corporation, the Oklahoma Medical Board; and structural steel fabricator W&W Steel.
Generally, the Ransomware gang will first post a snippet of stolen data to a website; this is a tactic to ensure the company are frightened and become compliant. If the company is unmoved, the gang will auction the data.
REvil likes to go after data that can be used for identity theft or data that creates liability issues for clients of the victim organization. More than 1,300 companies lost intellectual property and other sensitive information last year after ransomware operators published their data to a leak site.
REvil Ransomware Analysis
Deployments of REvil first were observed a few years ago, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725. It is highly configurable, and it can be customized to behave differently depending on the host. This makes it a highly attractive RaaS client. Some of its features include:
- Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
- Whitelists files, folders and extensions from encryption.
- Kills specific processes and services prior to encryption.
- Encrypts files on local and network storage.
- Customizes the name and body of the ransom note, and the contents of the background image.
- Exfiltrates encrypted information on the infected host to remote controllers.
- REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.
REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN. The RaaS is operated as an affiliate service, where affiliates spread the malware by acquiring victims and the REvil operators maintain the malware and payment infrastructure. Affiliates receive 60% to 70% of the ransom payment.
Unkown has acknowledged that his Ransomware is based on the now-retired GrandCrab Ransomware, saying, “We used to be affiliates of the GandCrab affiliate program. We bought the source code and started our own business. We developed custom features for our purposes”
REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.
Protection Against Ransomware
REvil and other Ransomware clients are some of the most common and deadly cybersecurity threats out there today. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.